Cyber Insurance in 2026: What Carriers Actually Demand — And How to Stay Insurable

Renewals have become audits. Here's what underwriters are requiring, what's changing in coverage terms, and how to position your organization for favorable rates.

February 9, 2026 | 8 min read | By Adil Karam

The renewal is no longer a negotiation. It's an audit.

If your last cyber insurance renewal felt more like a security assessment than a pricing conversation, you're not imagining things.

Carriers in 2026 have fundamentally changed how they underwrite cyber risk. The days of filling out a questionnaire and getting a quote are over. Underwriters now request evidence: screenshots, configuration exports, tabletop exercise reports, and third-party scan results. They're not asking if you *have* MFA. They're asking you to *prove* it's enforced on every admin account, VPN, and email system.

For organizations that are prepared, this is actually good news. Premiums are stabilizing, and most renewals are landing between -5% and +5% year-over-year. But for companies with gaps in basic controls? Expect double-digit premium increases, reduced coverage, or outright declinations.

The bottom line: Insurability is no longer about buying a policy. It's about earning one.


The Non-Negotiables: What Every Carrier Requires

Underwriters have converged on a set of baseline controls that are now table stakes. If you can't demonstrate these, you won't get favorable terms, and you may not get a policy at all.

| Control | What Carriers Want to See |
|---|---|
| MFA Everywhere | Enforced on email, VPN, admin consoles, cloud portals, no exceptions |
| EDR / MDR / XDR | Endpoint detection and response with 24/7 monitoring, not just antivirus |
| Immutable Backups | Offline or air-gapped backups with documented restore testing (not just "we have backups") |
| Incident Response Plan | Written, tested (tabletop exercise within last 12 months), with named incident commander |
| Privileged Access Management | Admin accounts separated, monitored, and time-limited |
| Email Security | DMARC enforcement, anti-phishing training with measurable results |

**Key Insight:** Carriers aren't inventing these requirements. They're drawn directly from frameworks like [NIST CSF](https://www.nist.gov/cyberframework) and [CIS Controls](https://www.cisecurity.org/controls). If you're aligned to a recognized framework, you're already most of the way there.

NIST CSF 2.0: The New Underwriting Standard

Here's the shift that many organizations haven't caught yet: NIST CSF 2.0 has become the de facto framework that underwriters use to evaluate security maturity.

The updated framework added a sixth function, GOVERN, which sits at the center of the wheel and emphasizes organizational accountability, risk strategy, and board-level oversight. This isn't a coincidence. Carriers want to see that security isn't just an IT function. It's a business function with executive sponsorship.

What this means practically:

  • Governance documentation is now part of the underwriting package: policies, risk registers, committee charters
  • Continuous improvement evidence matters more than point-in-time assessments
  • Board reporting cadence is being asked about directly on applications
  • Risk appetite statements distinguish mature programs from checkbox exercises

Organizations aligned to NIST CSF 2.0 are consistently getting better terms, lower premiums, and broader coverage than those operating without a framework.


Emerging Underwriting Focus Areas

Beyond the baseline controls, three new areas are getting increased scrutiny in 2026:

1. AI Risk Governance

Carriers are beginning to ask about AI usage, not because they fully understand it yet, but because they recognize the liability exposure. Expect questions like:

  • *"Do you have an AI acceptable use policy?"*
  • *"How do you prevent sensitive data from entering AI systems?"*
  • *"Are you using AI in any customer-facing decisions?"*

Organizations with a formal AI governance program are ahead of the curve. Those without one are creating uninsurable blind spots.

2. Board-Level Cyber Oversight

The SEC's cyber disclosure rules and evolving director liability case law (Caremark, Boeing) have made board governance a hot topic for insurers. They want to know:

  • Does the board receive regular cyber risk briefings?
  • Is there a named committee responsible for cyber oversight?
  • Can the organization demonstrate "reasonable" security governance?

This is where board advisory services become a strategic asset, not just for governance, but for insurability.

3. Third-Party and Systemic Risk

Cloud concentration risk is the new frontier. Marsh and other major brokers now flag systemic cloud dependency as a top underwriting concern. Carriers are asking: *"What happens if AWS goes down for 72 hours?"* or *"How dependent are you on a single SaaS vendor?"*

Expect more granular questions about:

  • Cloud provider diversification
  • SaaS vendor security assessments
  • Supply chain incident response plans


How Coverage Terms Are Shifting

Even if you qualify for a policy, the terms are changing in ways that matter:

Ransomware Coverage Caps: Many carriers are capping ransomware payouts at a percentage of the total policy limit (often 50%) or adding sub-limits with separate deductibles. Some are excluding ransomware payments entirely and only covering recovery costs.

Betterment Exclusions: If a breach forces you to rebuild infrastructure, carriers increasingly exclude "betterment" costs, the difference between restoring to pre-incident state versus building something better. This means your post-breach security improvements come out of pocket.

War and State-Sponsored Exclusions: Following the 2022 Lloyd's directive, most policies now exclude nation-state attacks. The challenge? Attribution is murky, and this exclusion is being tested in courts.

Waiting Periods: Some carriers are introducing 8-12 hour waiting periods before business interruption coverage kicks in, reducing payouts for short outages.

**Board Brief:** Tell your directors: *"Cyber insurance is a risk transfer tool, not a risk elimination tool. Coverage gaps are widening in ransomware, infrastructure rebuilds, and state-sponsored attacks. Our strategy must prioritize prevention and resilience, not just insurance."*

Your 2026 Insurability Checklist

Before your next renewal, confirm you can answer yes to every item:

  • ☐ MFA enforced on all remote access, email, and admin accounts
  • ☐ EDR/MDR deployed with 24/7 monitoring
  • ☐ Immutable/offline backups with documented restore test (last 12 months)
  • ☐ Written incident response plan, tested via tabletop exercise
  • ☐ Privileged access management in place
  • ☐ Employee security awareness training with phishing simulation results
  • ☐ NIST CSF (or equivalent framework) alignment documented
  • ☐ Board receives quarterly cyber risk briefings
  • ☐ Third-party/vendor risk assessment program active
  • ☐ AI acceptable use policy in place

If you answered "no" to more than two items, your renewal is at risk.


How I Help

I work with organizations as a Fractional CISO to close exactly these gaps, not just for insurability, but for genuine risk reduction. Here's what that looks like:

  • Compliance Program Development: Build the SOC 2, ISO 27001, or NIST CSF alignment that carriers reward with better terms
  • Security Architecture Reviews: Validate that your technical controls actually meet underwriting requirements
  • Board Advisory: Create the governance documentation and reporting cadence that demonstrates mature oversight
  • AI Governance Programs: Get ahead of the emerging AI risk questions before they become renewal blockers

The best time to prepare is before your renewal. Schedule a discovery call to assess your insurability posture and build a plan that satisfies both your carrier and your board.

Tags: Cyber Insurance, Risk Management, Compliance, NIST CSF, Board Advisory

Adil Karam

Security & AI Governance Advisor

Helping organizations navigate security leadership and AI governance challenges.
